Lobby Admin and TACACS

Unanswered Question
Aug 9th, 2007

I have gone through and set up our Helpdesk users to authenticate against TACACS when they log in to our WCS server. They are configured with the Lobby Ambassador roles.

The first question is why can't the admin create guest accounts through the WCS?

The second question is, how do you audit what the lobby admins are doing? Is it done through TACACS (ACS server) or on the WCS, or do I need to log in to each controller and check that way?

Thanks in advance.

CHRISTOPHER KANE Fri, 08/10/2007 - 06:36

I'm glad you've posted this question. I have exactly the same scenario. Without a response yet from this forum, my only thought for a workaround is to use one of my four WLCs as dedicated for our Helpdesk to create Guest accounts on.


charlesdf22 Fri, 08/10/2007 - 07:20

That's garbage. I can't believe that there is no way to track or log the changes being made.

Do you have the same issue with Admins not being able to create Guest Accounts?

CHRISTOPHER KANE Fri, 08/10/2007 - 15:32

Check out page 7-2 of the WCS Config Guide for version 4.1. Here's the snippet that is causing our problem: "This section describes how to configure a WCS user. The accounting portion of the AAA framework is not implemented at this time."

We have it set up so that our HelpDesk folks authenticate into WCS via TACACS, and TACACS (via Authorization) drops them in as LobbyAmbassadors. Since WCS doesn't log (no accounting), we can't audit what guest accounts were created by whom.

I do not have any idea as to why only AA of AAA would be implemented?

IRT your question about Admins - we have not put anyone in that Group yet. The network team is configured in the SuperUsers group.

So our question remains unanswered. How can we audit folks that we've empowered to create Guest accounts? We'd want to know the person who created the account and when.


CHRISTOPHER KANE Mon, 08/13/2007 - 07:49


We may have found a workaround that gets us what we need. Again, the issue I'm most interested in addressing is the lack of AAA (last A) between WCS and ACS when using TACACS as the method to authenticate the folks that I want to be Lobby Ambassadors. I must be able to audit who has created Guest accounts and when the account was created.

If you create an account in WCS using the same username as their (by 'their' I mean the non-IT type personnel that we've empowered to be Lobby Ambassadors) username in ACS, then you can see the Audit Trail. The information was there all along, it's just that 1) WCS doesn't let you see the log locally if there is no account to match it and 2) WCS doesn't forward the information to ACS.

So I went in and added all of our admins as local accounts and set them up as Lobby Ambassadors: Administration > AAA > Users > Add User. I just made up a password for them. The cool part is that the password I made for their local account in WCS doesn't come into play. They are still authenticated against ACS.



